425266 - Crash [@ JS_GetFunctionName][@ PR_Lock - js_GetStringBytes] starting venkman

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Bob Clary [:bc] (inactive)]

Start Firefox, invoke Venkman, Crash

#5  0x00002aaaaad5d73e in JS_GetFunctionName (fun=0x18d6c000)
    at /work/mozilla/builds/1.9.0/mozilla/js/src/jsapi.c:4239
#6  0x00002aaab040b6ad in jsd_GetScriptFunctionName (jsdc=0x18aad300, 
    jsdscript=0x18d782c0)
    at /work/mozilla/builds/1.9.0/mozilla/js/jsd/jsd_scpt.c:461
#7  0x00002aaab04068dd in JSD_GetScriptFunctionName (jsdc=0x18aad300, 
    jsdscript=0x18d782c0)
    at /work/mozilla/builds/1.9.0/mozilla/js/jsd/jsdebug.c:291
#8  0x00002aaab0417358 in jsdScript (this=0x1a7141a0, aCx=0x18aad300, 
    aScript=0x18d782c0)
    at /work/mozilla/builds/1.9.0/mozilla/js/jsd/jsd_xpc.cpp:992
#9  0x00002aaab041d2b5 in jsdScript::FromPtr (aCx=0x18aad300, 
    aScript=0x18d782c0)
    at /work/mozilla/builds/1.9.0/mozilla/js/jsd/jsd_xpc.h:155
#10 0x00002aaab041745b in jsdService::EnumerateScripts (this=0x18a4e100, 
    enumerator=0x1a6735a0)
    at /work/mozilla/builds/1.9.0/mozilla/js/jsd/jsd_xpc.cpp:2712

from <http://crash-stats.mozilla.com/report/list?range_unit=weeks&query_search=signature&query_type=contains&signature=JS_GetFunctionName&query=JS_GetFunctionName&range_value=1> this appears to be very recent. Maybe a bug in venkman 0.9.87.3 or maybe something else.

Comment 1

[Bob Clary [:bc] (inactive)]

fyi, i could only reproduce this with a debug build, not any nightlies.

Comment 2

[Mike Schroepfer]

Given we can't repro in nightlies not going to block - if we can or this is worse please re-nom.

Comment 3

[Henrik Skupin [:whimboo][⌚️UTC+2]]

There are reports listed for official nightly builds:
http://crash-stats.mozilla.com/report/list?range_unit=weeks&query_search=signature&query_type=contains&signature=PR_Lock&query=PR_Lock&range_value=1

Mostly it seems to happen with Gmail opened in a tab - as I can see from the comments. Yesterday I got the same crash under OS X 10.5 when I tried to start Venkman. Now I can clearly reproduce this crash with following steps:

1. Open Gmail and log into your account
2. Start Venkman
=> Crashes each time immediatelly

Here two of the stacks examined (first 10 frames):

0  	PR_Lock  	 mozilla/nsprpub/pr/src/pthreads/ptsynch.c:211
1 	js_GetStringBytes 	mozilla/js/src/jsstr.c:3217
2 	JS_GetFunctionName 	mozilla/js/src/jsapi.c:5302
3 	jsdScript::jsdScript(JSDContext*, JSDScript*) 	mozilla/js/jsd/jsd_xpc.cpp:992
4 	jsdService::EnumerateScripts(jsdIScriptEnumerator*) 	mozilla/js/jsd/jsd_xpc.cpp:155
5 	NS_InvokeByIndex_P 	mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
6 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2369
7 	XPC_WN_CallMethod(JSContext*, JSObject*, unsigned int, long*, long*) 	mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1473
8 	js_Invoke 	mozilla/js/src/jsinvoke.c:1287
9 	js_Interpret 	mozilla/js/src/jsinterp.c:4841
10 	js_Invoke

0  	js_GetGCStringRuntime  	 mozilla/js/src/jsgc.c:1138
1 	js_GetStringBytes 	mozilla/js/src/jsstr.c:3203
2 	JS_GetFunctionName 	mozilla/js/src/jsapi.c:5302
3 	jsdScript::jsdScript(JSDContext*, JSDScript*) 	mozilla/js/jsd/jsd_xpc.cpp:992
4 	jsdService::EnumerateScripts(jsdIScriptEnumerator*) 	mozilla/js/jsd/jsd_xpc.cpp:155
5 	NS_InvokeByIndex_P 	mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
6 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2369
7 	XPC_WN_CallMethod(JSContext*, JSObject*, unsigned int, long*, long*) 	mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1473
8 	js_Invoke 	mozilla/js/src/jsinvoke.c:1287
9 	js_Interpret 	mozilla/js/src/jsinterp.c:4841
10 	js_Invoke 	mozilla/js/src/jsinvoke.c:1303

JS_GetFunctionName is involved each time.

Timeless told me in bug 411492 to assign it to Igor.

Comment 4

[Henrik Skupin [:whimboo][⌚️UTC+2]]

I'm able to deliver some information from my debug build. Crash happened when opening a message within Gmail (without having Venkman open).

#0  0x0101e251 in JS_GetFunctionName (fun=0x356de028) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsapi.c:4239
#1  0x0280e899 in jsd_GetScriptFunctionName (jsdc=0x29264a0, jsdscript=0x41ebc670) at /Users/henrik/Projects/mozilla/source/mozilla/js/jsd/jsd_scpt.c:461
#2  0x0280dd81 in jsd_Constructing (jsdc=0x29264a0, cx=0x3cb2a540, obj=0x339fe280, fp=0xbfffaf88) at /Users/henrik/Projects/mozilla/source/mozilla/js/jsd/jsd_obj.c:212
#3  0x02810970 in _callHook (jsdc=0x29264a0, cx=0x3cb2a540, fp=0xbfffaf88, before=1, type=2, hook=0, hookData=0x0) at /Users/henrik/Projects/mozilla/source/mozilla/js/jsd/jsd_step.c:133
#4  0x02810f01 in jsd_FunctionCallHook (cx=0x3cb2a540, fp=0xbfffaf88, before=1, ok=0x0, closure=0x29264a0) at /Users/henrik/Projects/mozilla/source/mozilla/js/jsd/jsd_step.c:285
#5  0x010818ae in js_Invoke (cx=0x3cb2a540, argc=3, vp=0x3e5b4810, flags=1) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsinterp.c:1262

(gdb) frame 0
#0  0x0101e251 in JS_GetFunctionName (fun=0x356de028) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsapi.c:4239
4239	    atom = FUN_ATOM(fun);
(gdb) p *fun
$2 = {
  object = {
    map = 0xdadadada, 
    fslots = {-623191334, -623191334, -623191334, -623191334, -623191334, -623191334}, 
    dslots = 0xdadadada
  }, 
  sfunOrClass = 3671775962
}

As I see now, the checked-in patch on bug 423874 was backed-out. I'll test with a clobber build again.

Comment 5

[Henrik Skupin [:whimboo][⌚️UTC+2]]

I cannot reproduce it anymore with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9pre) Gecko/2008033015 Minefield/3.0pre ID:2008033015

So it seems to be fixed by the backout of attachment 310878 [details] [diff] [review].

Comment 6

[Igor Bukanov]

This is fixed via backing out the check-in for bug 423874.